<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en"><head><title>CloudAudit 1.0 - Automated Audit, Assertion,
    Assessment, and Assurance API (A6)</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="description" content="CloudAudit 1.0 - Automated Audit, Assertion,
    Assessment, and Assurance API (A6)">
<meta name="generator" content="xml2rfc v1.35 (http://xml.resource.org/)">
<style type='text/css'><!--
        body {
                font-family: verdana, charcoal, helvetica, arial, sans-serif;
                font-size: small; color: #000; background-color: #FFF;
                margin: 2em;
        }
        h1, h2, h3, h4, h5, h6 {
                font-family: helvetica, monaco, "MS Sans Serif", arial, sans-serif;
                font-weight: bold; font-style: normal;
        }
        h1 { color: #900; background-color: transparent; text-align: right; }
        h3 { color: #333; background-color: transparent; }

        td.RFCbug {
                font-size: x-small; text-decoration: none;
                width: 30px; height: 30px; padding-top: 2px;
                text-align: justify; vertical-align: middle;
                background-color: #000;
        }
        td.RFCbug span.RFC {
                font-family: monaco, charcoal, geneva, "MS Sans Serif", helvetica, verdana, sans-serif;
                font-weight: bold; color: #666;
        }
        td.RFCbug span.hotText {
                font-family: charcoal, monaco, geneva, "MS Sans Serif", helvetica, verdana, sans-serif;
                font-weight: normal; text-align: center; color: #FFF;
        }

        table.TOCbug { width: 30px; height: 15px; }
        td.TOCbug {
                text-align: center; width: 30px; height: 15px;
                color: #FFF; background-color: #900;
        }
        td.TOCbug a {
                font-family: monaco, charcoal, geneva, "MS Sans Serif", helvetica, sans-serif;
                font-weight: bold; font-size: x-small; text-decoration: none;
                color: #FFF; background-color: transparent;
        }

        td.header {
                font-family: arial, helvetica, sans-serif; font-size: x-small;
                vertical-align: top; width: 33%;
                color: #FFF; background-color: #666;
        }
        td.author { font-weight: bold; font-size: x-small; margin-left: 4em; }
        td.author-text { font-size: x-small; }

        /* info code from SantaKlauss at http://www.madaboutstyle.com/tooltip2.html */
        a.info {
                /* This is the key. */
                position: relative;
                z-index: 24;
                text-decoration: none;
        }
        a.info:hover {
                z-index: 25;
                color: #FFF; background-color: #900;
        }
        a.info span { display: none; }
        a.info:hover span.info {
                /* The span will display just on :hover state. */
                display: block;
                position: absolute;
                font-size: smaller;
                top: 2em; left: -5em; width: 15em;
                padding: 2px; border: 1px solid #333;
                color: #900; background-color: #EEE;
                text-align: left;
        }

        a { font-weight: bold; }
        a:link    { color: #900; background-color: transparent; }
        a:visited { color: #633; background-color: transparent; }
        a:active  { color: #633; background-color: transparent; }

        p { margin-left: 2em; margin-right: 2em; }
        p.copyright { font-size: x-small; }
        p.toc { font-size: small; font-weight: bold; margin-left: 3em; }
        table.toc { margin: 0 0 0 3em; padding: 0; border: 0; vertical-align: text-top; }
        td.toc { font-size: small; font-weight: bold; vertical-align: text-top; }

        ol.text { margin-left: 2em; margin-right: 2em; }
        ul.text { margin-left: 2em; margin-right: 2em; }
        li      { margin-left: 3em; }

        /* RFC-2629 <spanx>s and <artwork>s. */
        em     { font-style: italic; }
        strong { font-weight: bold; }
        dfn    { font-weight: bold; font-style: normal; }
        cite   { font-weight: normal; font-style: normal; }
        tt     { color: #036; }
        tt, pre, pre dfn, pre em, pre cite, pre span {
                font-family: "Courier New", Courier, monospace; font-size: small;
        }
        pre {
                text-align: left; padding: 4px;
                color: #000; background-color: #CCC;
        }
        pre dfn  { color: #900; }
        pre em   { color: #66F; background-color: #FFC; font-weight: normal; }
        pre .key { color: #33C; font-weight: bold; }
        pre .id  { color: #900; }
        pre .str { color: #000; background-color: #CFF; }
        pre .val { color: #066; }
        pre .rep { color: #909; }
        pre .oth { color: #000; background-color: #FCF; }
        pre .err { background-color: #FCC; }

        /* RFC-2629 <texttable>s. */
        table.all, table.full, table.headers, table.none {
                font-size: small; text-align: center; border-width: 2px;
                vertical-align: top; border-collapse: collapse;
        }
        table.all, table.full { border-style: solid; border-color: black; }
        table.headers, table.none { border-style: none; }
        th {
                font-weight: bold; border-color: black;
                border-width: 2px 2px 3px 2px;
        }
        table.all th, table.full th { border-style: solid; }
        table.headers th { border-style: none none solid none; }
        table.none th { border-style: none; }
        table.all td {
                border-style: solid; border-color: #333;
                border-width: 1px 2px;
        }
        table.full td, table.headers td, table.none td { border-style: none; }

        hr { height: 1px; }
        hr.insert {
                width: 80%; border-style: none; border-width: 0;
                color: #CCC; background-color: #CCC;
        }
--></style>
</head>
<body>
<table summary="layout" cellpadding="0" cellspacing="2" class="TOCbug" align="right"><tr><td class="TOCbug"><a href="#toc">&nbsp;TOC&nbsp;</a></td></tr></table>
<table summary="layout" width="66%" border="0" cellpadding="0" cellspacing="0"><tr><td><table summary="layout" width="100%" border="0" cellpadding="2" cellspacing="1">
<tr><td class="header">Network Working Group</td><td class="header">C. Hoff</td></tr>
<tr><td class="header">Internet-Draft</td><td class="header">Cisco Systems</td></tr>
<tr><td class="header">Intended status: Experimental</td><td class="header">S. Johnston</td></tr>
<tr><td class="header">Expires: January 6, 2011</td><td class="header">Google</td></tr>
<tr><td class="header">&nbsp;</td><td class="header">G. Reese</td></tr>
<tr><td class="header">&nbsp;</td><td class="header">enStratus</td></tr>
<tr><td class="header">&nbsp;</td><td class="header">B. Sapiro</td></tr>
<tr><td class="header">&nbsp;</td><td class="header">TELUS</td></tr>
<tr><td class="header">&nbsp;</td><td class="header">July 5, 2010</td></tr>
</table></td></tr></table>
<h1><br />CloudAudit 1.0 - Automated Audit, Assertion,
    Assessment, and Assurance API (A6)<br />draft-hoff-cloudaudit-00</h1>

<h3>Abstract</h3>

<p>CloudAudit provides an open, extensible and secure interface
      that allows cloud computing providers to expose Audit, Assertion,
      Assessment, and Assurance (A6) information for cloud infrastructure
      (IaaS), platform (PaaS), and application (SaaS) services to authorized
      clients.
</p>
<h3>Requirements Language</h3>

<p>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
      "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
      document are to be interpreted as described in <a class='info' href='#RFC2119'>RFC 2119<span> (</span><span class='info'>Bradner, S., &ldquo;Key words for use in RFCs to Indicate Requirement Levels,&rdquo; March&nbsp;1997.</span><span>)</span></a> [RFC2119].
</p>
<h3>Status of this Memo</h3>
<p>
This Internet-Draft is submitted  in full
conformance with the provisions of BCP&nbsp;78 and BCP&nbsp;79.</p>
<p>
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF).  Note that other groups may also distribute
working documents as Internet-Drafts.  The list of current
Internet-Drafts is at http://datatracker.ietf.org/drafts/current/.</p>
<p>
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any time.
It is inappropriate to use Internet-Drafts as reference material or to cite
them other than as &ldquo;work in progress.&rdquo;</p>
<p>
This Internet-Draft will expire on January 6, 2011.</p>

<h3>Copyright Notice</h3>
<p>
Copyright (c) 2010 IETF Trust and the persons identified as the
document authors.  All rights reserved.</p>
<p>
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document.  Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.</p>
<a name="toc"></a><br /><hr />
<h3>Table of Contents</h3>
<p class="toc">
<a href="#anchor1">1.</a>&nbsp;
Introduction<br />
<a href="#anchor2">2.</a>&nbsp;
Notational Conventions<br />
<a href="#discovery">3.</a>&nbsp;
Discovery<br />
&nbsp;&nbsp;&nbsp;&nbsp;<a href="#anchor3">3.1.</a>&nbsp;
Repository<br />
&nbsp;&nbsp;&nbsp;&nbsp;<a href="#anchor4">3.2.</a>&nbsp;
Links<br />
<a href="#anchor5">4.</a>&nbsp;
Enumeration<br />
<a href="#anchor6">5.</a>&nbsp;
Namespaces<br />
&nbsp;&nbsp;&nbsp;&nbsp;<a href="#anchor7">5.1.</a>&nbsp;
Glossary namespace<br />
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#anchor8">5.1.1.</a>&nbsp;
Examples<br />
&nbsp;&nbsp;&nbsp;&nbsp;<a href="#anchor11">5.2.</a>&nbsp;
Service namespace<br />
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#local-assertions">5.2.1.</a>&nbsp;
Local Assertions<br />
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#remote-assertions">5.2.2.</a>&nbsp;
Remote Assertions<br />
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#anchor18">5.2.3.</a>&nbsp;
Third-party Assertions<br />
<a href="#anchor19">6.</a>&nbsp;
Digital Signatures<br />
<a href="#IANA">7.</a>&nbsp;
IANA Considerations<br />
<a href="#anchor20">8.</a>&nbsp;
Security Considerations<br />
<a href="#Acknowledgements">9.</a>&nbsp;
Acknowledgements<br />
<a href="#rfc.references1">10.</a>&nbsp;
References<br />
&nbsp;&nbsp;&nbsp;&nbsp;<a href="#rfc.references1">10.1.</a>&nbsp;
Normative References<br />
&nbsp;&nbsp;&nbsp;&nbsp;<a href="#rfc.references2">10.2.</a>&nbsp;
Informative References<br />
<a href="#anchor23">Appendix&nbsp;A.</a>&nbsp;
Initial Registry Contents<br />
<a href="#rfc.authors">&#167;</a>&nbsp;
Authors' Addresses<br />
</p>
<br clear="all" />

<a name="anchor1"></a><br /><hr />
<table summary="layout" cellpadding="0" cellspacing="2" class="TOCbug" align="right"><tr><td class="TOCbug"><a href="#toc">&nbsp;TOC&nbsp;</a></td></tr></table>
<a name="rfc.section.1"></a><h3>1.&nbsp;
Introduction</h3>

<p>CloudAudit provides a common interface, naming convention, and set of processes
	  and technologies utilizing the HTTP protocol to enable cloud service providers
	  to automate the collection and assertion of operational, security, audit, assessment,
	  and assurance information. This allows duly authorized and authenticated consumers
	  and brokers of cloud computing services to automate requests for this data and metadata.
</p>
<p>CloudAudit supports the notion of requests for both structured and unstructured data
	  and metadata aligned to compliance and audit frameworks. Specific compliance framework
	  definitions and namespaces ("compliance packs") will be made available incrementally.
</p>
<p>The first CloudAudit release is designed to be as simple as possible so that it can be
      implemented by creating a consistent namespace and directory structure and placing
	  files on a standard web server that implements HTTP <a class='info' href='#RFC2616'>[RFC2616]<span> (</span><span class='info'>Fielding, R., Gettys, J., Mogul, J., Frystyk, H., Masinter, L., Leach, P., and T. Berners-Lee, &ldquo;Hypertext Transfer Protocol -- HTTP/1.1,&rdquo; June&nbsp;1999.</span><span>)</span></a>.
      Subsequent releases may add the ability to write definitions and
      assertions, and to request new assertions be generated (e.g. a network
      scan). That is, while 1.x versions are read-only, subsequent releases
      may be read-write.
</p>
<p>A duly authorized and authenticated client will typically interrogate the service 
	  and verify compliance with local policy before making use of it. It may do so by checking
      certain pre-defined parameters (for example, the geographical location
      of the servers, compliance with prevailing security standards, etc.) or
      it may enumerate some/all of the information available and present it to
      an operator for a manual decision. This process may be fully automated,
      for example when searching for least cost services or for an alternative
      service for failover.
</p>
<p>As it is impossible to tell in advance what information will be of
      interest to clients and what service providers will be willing to
      expose, a safely extensible mechanism has been devised which allows any
      domain name owner to publish both definitions and assertions.
</p>
<a name="anchor2"></a><br /><hr />
<table summary="layout" cellpadding="0" cellspacing="2" class="TOCbug" align="right"><tr><td class="TOCbug"><a href="#toc">&nbsp;TOC&nbsp;</a></td></tr></table>
<a name="rfc.section.2"></a><h3>2.&nbsp;
Notational Conventions</h3>

<p>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
      "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
      document are to be interpreted as described in BCP 14, <a class='info' href='#RFC2119'>[RFC2119]<span> (</span><span class='info'>Bradner, S., &ldquo;Key words for use in RFCs to Indicate Requirement Levels,&rdquo; March&nbsp;1997.</span><span>)</span></a>, as scoped to those conformance targets.
</p>
<p>This document uses the Augmented Backus-Naur Form (ABNF) notation of
      <a class='info' href='#RFC2616'>[RFC2616]<span> (</span><span class='info'>Fielding, R., Gettys, J., Mogul, J., Frystyk, H., Masinter, L., Leach, P., and T. Berners-Lee, &ldquo;Hypertext Transfer Protocol -- HTTP/1.1,&rdquo; June&nbsp;1999.</span><span>)</span></a>.
</p>
<p>Additionally, the following rules are included from <a class='info' href='#RFC3986'>[RFC3986]<span> (</span><span class='info'>Berners-Lee, T., Fielding, R., and L. Masinter, &ldquo;Uniform Resource Identifier (URI): Generic Syntax,&rdquo; January&nbsp;2005.</span><span>)</span></a>: URI.
</p>
<a name="discovery"></a><br /><hr />
<table summary="layout" cellpadding="0" cellspacing="2" class="TOCbug" align="right"><tr><td class="TOCbug"><a href="#toc">&nbsp;TOC&nbsp;</a></td></tr></table>
<a name="rfc.section.3"></a><h3>3.&nbsp;
Discovery</h3>

<a name="anchor3"></a><br /><hr />
<table summary="layout" cellpadding="0" cellspacing="2" class="TOCbug" align="right"><tr><td class="TOCbug"><a href="#toc">&nbsp;TOC&nbsp;</a></td></tr></table>
<a name="rfc.section.3.1"></a><h3>3.1.&nbsp;
Repository</h3>

<p>Clients SHOULD detect support for CloudAudit by verifying that a
        HTTP GET or HEAD for the repository root (e.g.
        /.well-known/cloudaudit) is successful (e.g. "200 OK"). Clients MAY
        also verify that requests for invalid URLs (e.g.
        /.well-known/&lt;random&gt;) return an error (e.g. "404 Not
        Found").
</p>
<p>If clients do not confirm the existence of a CloudAudit repository
        then they may be susceptible to false negatives (e.g. falsely assuming
        an assertion is absent when in fact the entire repository is absent)
        and if they do not confirm that invalid URLs return an error then
        they may be susceptible to false positives (e.g. falsely assuming an
        assertion is present when in fact the server returns a successful
        response for any URL).
</p>
<a name="anchor4"></a><br /><hr />
<table summary="layout" cellpadding="0" cellspacing="2" class="TOCbug" align="right"><tr><td class="TOCbug"><a href="#toc">&nbsp;TOC&nbsp;</a></td></tr></table>
<a name="rfc.section.3.2"></a><h3>3.2.&nbsp;
Links</h3>

<p>Servers MAY specify the root of a CloudAudit repository in the HTTP
        Link: header and/or HTML LINK element with
        rel="http://cloudaudit.org". This allows one or more services to
        delegate requests to a single local or remote/third-party server.
        Clients SHOULD check for the presence of these links before assuming
        that there is a local CloudAudit repository.
</p><br /><hr class="insert" />
<div style='display: table; width: 0; margin-left: 3em; margin-right: auto'><pre>&lt;link rel="http://cloudaudit.org" href="http://example.com/.well-known/cloudaudit/com.example.ec2"&gt;</pre></div><table border="0" cellpadding="0" cellspacing="2" align="center"><tr><td align="center"><font face="monaco, MS Sans Serif" size="1"><b>&nbsp;HTML Discovery&nbsp;</b></font><br /></td></tr></table><hr class="insert" />
<br /><hr class="insert" />
<div style='display: table; width: 0; margin-left: 3em; margin-right: auto'><pre>Link: &lt;http://example.com/.well-known/cloudaudit/com.example.ec2&gt;; rel="http://cloudaudit.org"</pre></div><table border="0" cellpadding="0" cellspacing="2" align="center"><tr><td align="center"><font face="monaco, MS Sans Serif" size="1"><b>&nbsp;HTTP Discovery&nbsp;</b></font><br /></td></tr></table><hr class="insert" />

<a name="anchor5"></a><br /><hr />
<table summary="layout" cellpadding="0" cellspacing="2" class="TOCbug" align="right"><tr><td class="TOCbug"><a href="#toc">&nbsp;TOC&nbsp;</a></td></tr></table>
<a name="rfc.section.4"></a><h3>4.&nbsp;
Enumeration</h3>

<p>Servers MAY render a HyperText Markup Language (HTML) response to a
      HTTP request for a directory containing an A or LINK element for every
      child with a HREF attribute containing the relative URL of the child.
      Clients MUST NOT rely on this functionality, which will vary from server
      to server.
</p>
<a name="anchor6"></a><br /><hr />
<table summary="layout" cellpadding="0" cellspacing="2" class="TOCbug" align="right"><tr><td class="TOCbug"><a href="#toc">&nbsp;TOC&nbsp;</a></td></tr></table>
<a name="rfc.section.5"></a><h3>5.&nbsp;
Namespaces</h3>

<p>CloudAudit defines two namespaces: the glossary namespace, which
      contains definitions, and the service namespace, which contains
      assertions. It relies on the Domain Name System (DNS) to divide the
      glossary and service namespaces in an extensible fashion without relying
      on registries.
</p>
<p>A domain name (e.g. example.com) under the control of the party is
      broken into its components (e.g. example, com), reversed (e.g. com,
      example) and recombined (e.g. com.example). That party "owns" this
      namespace so long as the domain is registered to them and they may
      subdivide it with components in order to reference and/or categorise
      glossary definitions and service assertions. These MAY or MAY NOT
      represent valid hosts in the DNS.
</p>
<p>URI schemes and paths are NOT supported (e.g.
      https://example.com/cloud), however it is possible for a service to
      advertise an alternate name (e.g. cloud.example.com) via the HTTP Link
      header and/or HTML LINK element (<a class='info' href='#discovery'>Section&nbsp;3<span> (</span><span class='info'>Discovery</span><span>)</span></a>).
</p>
<a name="anchor7"></a><br /><hr />
<table summary="layout" cellpadding="0" cellspacing="2" class="TOCbug" align="right"><tr><td class="TOCbug"><a href="#toc">&nbsp;TOC&nbsp;</a></td></tr></table>
<a name="rfc.section.5.1"></a><h3>5.1.&nbsp;
Glossary namespace</h3>

<p>The glossary allows clients to enumerate and/or resolve
        definitions, and to obtain additional documentation. Servers MUST
        provide a plain text representation and MAY provide alternative
        representations (such as HTML) via HTTP content negotiation.
</p>
<a name="anchor8"></a><br /><hr />
<table summary="layout" cellpadding="0" cellspacing="2" class="TOCbug" align="right"><tr><td class="TOCbug"><a href="#toc">&nbsp;TOC&nbsp;</a></td></tr></table>
<a name="rfc.section.5.1.1"></a><h3>5.1.1.&nbsp;
Examples</h3>

<a name="anchor9"></a><br /><hr />
<table summary="layout" cellpadding="0" cellspacing="2" class="TOCbug" align="right"><tr><td class="TOCbug"><a href="#toc">&nbsp;TOC&nbsp;</a></td></tr></table>
<a name="rfc.section.5.1.1.1"></a><h3>5.1.1.1.&nbsp;
Generic</h3>

<p>The following shows a client obtaining a definition for
            org.iso.3166-1.
</p><div style='display: table; width: 0; margin-left: 3em; margin-right: auto'><pre>&lt; GET /.well-known/cloudaudit/glossary/org/iso/3166-1 HTTP/1.1
&lt; Host: iso.org
&lt;
&gt; HTTP/1.1 200 OK
&gt; Content-Length: 24
&gt; Content-Type: text/plain
&gt;
&gt; ISO 3166-1 Country Codes</pre></div>
<a name="anchor10"></a><br /><hr />
<table summary="layout" cellpadding="0" cellspacing="2" class="TOCbug" align="right"><tr><td class="TOCbug"><a href="#toc">&nbsp;TOC&nbsp;</a></td></tr></table>
<a name="rfc.section.5.1.1.2"></a><h3>5.1.1.2.&nbsp;
Compliance</h3>

<p>The following shows a client obtaining a definition for
            gov.nist.crc.sp800-53.r2.
</p><div style='display: table; width: 0; margin-left: 3em; margin-right: auto'><pre>&lt; GET /.well-known/cloudaudit/glossary/gov/nist/crc/sp800-53/r2 HTTP/1.1
&lt; Host: nist.gov
&lt;
&gt; HTTP/1.1 200 OK
&gt; Content-Length: 102
&gt; Content-Type: text/plain
&gt;
&gt; NIST SP800-53 (Rev. 2) Recommended Security Controls for Federal Information Systems and Organizations</pre></div>
<a name="anchor11"></a><br /><hr />
<table summary="layout" cellpadding="0" cellspacing="2" class="TOCbug" align="right"><tr><td class="TOCbug"><a href="#toc">&nbsp;TOC&nbsp;</a></td></tr></table>
<a name="rfc.section.5.2"></a><h3>5.2.&nbsp;
Service namespace</h3>

<p>Assertions can be made about the local service and/or remote
        service(s).
</p>
<a name="local-assertions"></a><br /><hr />
<table summary="layout" cellpadding="0" cellspacing="2" class="TOCbug" align="right"><tr><td class="TOCbug"><a href="#toc">&nbsp;TOC&nbsp;</a></td></tr></table>
<a name="rfc.section.5.2.1"></a><h3>5.2.1.&nbsp;
Local Assertions</h3>

<p>Local assertions refer to the service(s) sharing the same URL
          end-point as the CloudAudit repository. They can be identified by
          the absence of a '/-/' component in the URL (which is used as a
          delineator for Remote Assertions <a class='info' href='#remote-assertions'>Section&nbsp;5.2.2<span> (</span><span class='info'>Remote Assertions</span><span>)</span></a>) and can normally be implemented
          using symbolic links or web server configuration.
</p>
<a name="anchor12"></a><br /><hr />
<table summary="layout" cellpadding="0" cellspacing="2" class="TOCbug" align="right"><tr><td class="TOCbug"><a href="#toc">&nbsp;TOC&nbsp;</a></td></tr></table>
<a name="rfc.section.5.2.1.1"></a><h3>5.2.1.1.&nbsp;
Examples</h3>

<a name="anchor13"></a><br /><hr />
<table summary="layout" cellpadding="0" cellspacing="2" class="TOCbug" align="right"><tr><td class="TOCbug"><a href="#toc">&nbsp;TOC&nbsp;</a></td></tr></table>
<a name="rfc.section.5.2.1.1.1"></a><h3>5.2.1.1.1.&nbsp;
Generic</h3>

<p>This example shows a client retrieving the ISO 3166-1 country
              code(s) from which the cloud.example.com service is being
              provided.
</p><div style='display: table; width: 0; margin-left: 3em; margin-right: auto'><pre>&lt; GET /.well-known/cloudaudit/service/org/iso/3166-1 HTTP/1.1
&lt; Host: cloud.example.com
&lt;
&gt; HTTP/1.1 200 OK
&gt; Content-Length: 3
&gt; Content-Type: text/plain
&gt;
&gt; US</pre></div>
<a name="anchor14"></a><br /><hr />
<table summary="layout" cellpadding="0" cellspacing="2" class="TOCbug" align="right"><tr><td class="TOCbug"><a href="#toc">&nbsp;TOC&nbsp;</a></td></tr></table>
<a name="rfc.section.5.2.1.1.2"></a><h3>5.2.1.1.2.&nbsp;
Compliance - Human Readable Response</h3>

<p>This example shows a client retrieving the cloud.example.com
              service's response to control section 15.3.1 of ISO 27002
              (v2005). The response is valid HTML and intended to be human
              readable.
</p><div style='display: table; width: 0; margin-left: 3em; margin-right: auto'><pre>&lt; GET /.well-known/cloudaudit/service//org/iso/27002/v2005/15/3/1 HTTP/1.1
&lt; Host: cloud.example.com
&lt;
&gt; HTTP/1.1 200 OK
&gt; Content-Length: 822
&gt; Content-Type: text/html
&gt;
&gt; &lt;html&gt;
&gt; &lt;body&gt;
&gt; &lt;head&gt;
&gt; &lt;title&gt;ISO 27002 v2005 15.3.1&lt;/title&gt;
&gt; &lt;/head&gt;
&gt; &lt;H1&gt;Information systems audit controls&lt;/H1&gt;
&gt; &lt;UL&gt;
&gt; &lt;LI&gt;&lt;a href="http://www.cloudhosting.com/.well-known/cloudaudit/org/iso/27002/v2005/15/3/1/auditschedule.xls"&gt;Audit Schedule&lt;/a&gt; - &lt;i&gt;the 2010 audit schedule for cloud hosting inc.&lt;/i&gt;
&gt; &lt;LI&gt;&lt;a href="http://www.cloudhosting.com/.well-known/cloudaudit/org/iso/27002/v2005/15/3/1/contract.pdf"&gt;KPWEY LLP Audit Contract&lt;/a&gt; - &lt;i&gt;The audit contract with KPWEY for external audit services&lt;/i&gt; - &lt;span&gt;The document details the services procured to support the audit plan; see page 14 for specific details.&lt;/span&gt;
&gt; &lt;LI&gt;&lt;a href="http://www.cloudhosting.com/.well-known/cloudaudit/org/iso/27002/v2005/15/3/1/auditscope.zip"&gt;Audit Scope&lt;/a&gt; - &lt;i&gt;The audit scope for the planned audits in 2010&lt;/i&gt;
&gt; &lt;/UL&gt;
&gt; &lt;/body&gt;
&gt; &lt;/html&gt;</pre></div>
<a name="anchor15"></a><br /><hr />
<table summary="layout" cellpadding="0" cellspacing="2" class="TOCbug" align="right"><tr><td class="TOCbug"><a href="#toc">&nbsp;TOC&nbsp;</a></td></tr></table>
<a name="rfc.section.5.2.1.1.3"></a><h3>5.2.1.1.3.&nbsp;
Compliance - Atom Response</h3>

<p>This example shows a client retrieving the cloud.example.com
              service's response to control section 15.3.1 of ISO 27002
              (v2005). The response is in the Atom format
              <a class='info' href='#RFC4287'>[RFC4287]<span> (</span><span class='info'>Nottingham, M., Ed. and R. Sayre, Ed., &ldquo;The Atom Syndication Format,&rdquo; December&nbsp;2005.</span><span>)</span></a> and is intended to be
              machine processed.
</p><div style='display: table; width: 0; margin-left: 3em; margin-right: auto'><pre>&lt; GET /.well-known/cloudaudit/service//org/iso/27002/v2005/15/3/1/manifest.xml HTTP/1.1
&lt; Host: cloud.example.com
&lt;
&gt; HTTP/1.1 200 OK
&gt; Content-Length: 3432
&gt; Content-Type: text/xml
&gt;
&gt; &lt;?xml version="1.0" encoding="UTF-8"?&gt;
&gt; &lt;feed xmlns="http://www.w3.org/2005/Atom"&gt;
&gt;    &lt;title&gt;ISO 27002 v2005 15.3.1&lt;/title&gt;
&gt;    &lt;link href="http://www.cloudhosting.com/.well-known/cloudaudit/org/iso/27002/v2005/15/3/1/" rel="self"/&gt;
&gt;    &lt;id&gt;http://www.cloudhosting.com/.well-known/cloudaudit/org/iso/27002/v2005/15/3/1/&lt;/id&gt;
&gt;    &lt;subtitle&gt;Information systems audit controls&lt;/subtitle&gt;
&gt;    &lt;updated&gt;2010-01-13T18:30:02Z&lt;/updated&gt;
&gt;    &lt;generator uri="http://cloudaudit.org/development/bootstrap.tgz" version="1.0"&gt;Cloud Audit Manual Bootstrap Package&lt;/generator&gt;
&gt;    &lt;author&gt;
&gt;        &lt;name&gt;Jon James&lt;/name&gt;
&gt;        &lt;email&gt;jonjames@cloudhosting.com&lt;/email&gt;
&gt;    &lt;/author&gt;
&gt;    &lt;rights type="text"&gt;Copyright (c) 2009, Cloud Hosting Inc.&lt;/rights&gt;
&gt;    &lt;category term="/iso/27002/v2005/" label="ISO 27002 v5"/&gt;
&gt;
&gt;    &lt;entry&gt;
&gt;        &lt;title&gt;Audit Schedule&lt;/title&gt;
&gt;        &lt;link href="http://www.cloudhosting.com/.well-known/cloudaudit/org/iso/27002/v2005/15/3/1/auditschedule.xls" type="application/msexcel" rel="related"&gt;&lt;/link&gt;
&gt;        &lt;id&gt;http://www.cloudhosting.com/.well-known/cloudaudit/org/iso/27002/v2005/15/3/1/auditschedule.xls&lt;/id&gt;
&gt;        &lt;updated&gt;2009-12-28T12:24:02Z&lt;/updated&gt;
&gt;        &lt;summary&gt;the 2010 audit schedule for cloud hosting inc.&lt;/summary&gt;
&gt;        &lt;author&gt;
&gt;            &lt;name&gt;Eric Smith&lt;/name&gt;
&gt;            &lt;email&gt;ericsmith@cloudhosting.com&lt;/email&gt;
&gt;        &lt;/author&gt;
&gt;        &lt;contributor&gt;
&gt;            &lt;name&gt;Mary Huxley&lt;/name&gt;
&gt;            &lt;email&gt;maryhuxley@kpwey.com&lt;/email&gt;
&gt;            &lt;uri&gt;http://www.kpwey.com&lt;/uri&gt;
&gt;        &lt;/contributor&gt;
&gt;    &lt;/entry&gt;
&gt;
&gt;    &lt;entry&gt;
&gt;        &lt;title&gt;KPWEY LLP Audit Contract&lt;/title&gt;
&gt;        &lt;link href="http://www.cloudhosting.com/.well-known/cloudaudit/org/iso/27002/v2005/15/3/1/contract.pdf" type="application/pdf" rel="related"&gt;&lt;/link&gt;
&gt;        &lt;id&gt;http://www.cloudhosting.com/.well-known/cloudaudit/org/iso/27002/v2005/15/3/1/contract.pdf&lt;/id&gt;
&gt;        &lt;updated&gt;2009-01-12T11:45:02Z&lt;/updated&gt;
&gt;        &lt;summary&gt;The audit contract with KPWEY for external audit services&lt;/summary&gt;
&gt;        &lt;content type="text" xml:lang="en"&gt;
&gt;            The document details the services procured to support the audit plan; see page 14 for specific details.
&gt;        &lt;/content&gt;
&gt;        &lt;author&gt;
&gt;            &lt;name&gt;Eric Smith&lt;/name&gt;
&gt;            &lt;email&gt;ericsmith@cloudhosting.com&lt;/email&gt;
&gt;        &lt;/author&gt;
&gt;        &lt;contributor&gt;
&gt;            &lt;name&gt;Mary Huxley&lt;/name&gt;
&gt;            &lt;email&gt;maryhuxley@kpwey.com&lt;/email&gt;
&gt;            &lt;uri&gt;http://www.kpwey.com&lt;/uri&gt;
&gt;        &lt;/contributor&gt;
&gt;    &lt;/entry&gt;
&gt;
&gt;    &lt;entry&gt;
&gt;        &lt;title&gt;Audit Scope&lt;/title&gt;
&gt;        &lt;link href="http://www.cloudhosting.com/.well-known/cloudaudit/org/iso/27002/v2005/15/3/1/auditscope.zip" type="application/zip" rel="related"&gt;&lt;/link&gt;
&gt;        &lt;id&gt;http://www.cloudhosting.com/.well-known/cloudaudit/org/iso/27002/v2005/15/3/1/auditscope.zip&lt;/id&gt;
&gt;        &lt;updated&gt;2009-12-28T12:25:02Z&lt;/updated&gt;
&gt;        &lt;summary&gt;The audit scope for the planned audits in 2010&lt;/summary&gt;
&gt;        &lt;author&gt;
&gt;            &lt;name&gt;Sarah Chan&lt;/name&gt;
&gt;            &lt;email&gt;sarahchan@cloudhosting.com&lt;/email&gt;
&gt;        &lt;/author&gt;
&gt;        &lt;contributor&gt;
&gt;            &lt;name&gt;David Kohl&lt;/name&gt;
&gt;            &lt;email&gt;davidkohl@kpwey.com&lt;/email&gt;
&gt;        &lt;/contributor&gt;
&gt;        &lt;contributor&gt;
&gt;            &lt;name&gt;Mary Huxley&lt;/name&gt;
&gt;            &lt;email&gt;maryhuxley@kpwey.com&lt;/email&gt;
&gt;            &lt;uri&gt;http://www.kpwey.com&lt;/uri&gt;
&gt;        &lt;/contributor&gt;
&gt;    &lt;/entry&gt;
&gt; &lt;/feed&gt;
</pre></div>
<a name="anchor16"></a><br /><hr />
<table summary="layout" cellpadding="0" cellspacing="2" class="TOCbug" align="right"><tr><td class="TOCbug"><a href="#toc">&nbsp;TOC&nbsp;</a></td></tr></table>
<a name="rfc.section.5.2.1.1.4"></a><h3>5.2.1.1.4.&nbsp;
Compliance - Non-Existent</h3>

<p>This example shows a client attempting to retrieve a non-existent
              response to a control section of NIST SP800-53 (Rev 2)
              from the cloud.example.com service.
</p><div style='display: table; width: 0; margin-left: 3em; margin-right: auto'><pre>&lt; GET /.well-known/cloudaudit/glossary/gov/nist/crc/sp800-53/r2/cp-2 HTTP/1.1
&lt; Host: cloud.example.com
&lt;
&gt; HTTP/1.1 404 Not Found
&gt; Content-Length: 148
&gt; Content-Type: text/html
&gt;
&gt; &lt;html&gt;
&gt; &lt;head&gt;
&gt; &lt;title&gt;404 Not Found&lt;/title&gt;
&gt; &lt;/head&gt;&lt;body&gt;&lt;h1&gt;Error: Not Found&lt;/h1&gt;
&gt; &lt;h2&gt;The requested URL was not found on this server.&lt;/h2&gt;
&gt; &lt;/body&gt;
&gt; &lt;/html&gt;</pre></div>
<a name="remote-assertions"></a><br /><hr />
<a name="rfc.section.5.2.2"></a><h3>5.2.2.&nbsp;
Remote Assertions</h3>

<p>There are a number of scenarios where it is necessary to answer
          CloudAudit queries on behalf of others, including:</p>
<ul class="text">
<li>Responding to queries on behalf of multiple servers
</li>
<li>Responding to queries from multiple clients
</li>
<li>Proxying in order to supplement or override assertions
</li>
<li>Incompatibilities with existing systems and software that
              prevent co-location
</li>
</ul>

<p>Remote assertions are supported by embedding both the name (e.g.
          cloud.example.com) and the assertion queried (e.g. 3166-1.iso.org)
          in the URL. The name and the assertion MUST be separated by a '/-/'
          URL component, because both may vary in length.
</p>
<a name="anchor17"></a><br /><hr />
<a name="rfc.section.5.2.2.1"></a><h3>5.2.2.1.&nbsp;
Examples</h3>

<p>This example shows a client retrieving the ISO 3166-1 country
            code(s) from which the cloud.example.com service is being
            provided, from the remote server cloudaudit.net.
</p><div style='display: table; width: 0; margin-left: 3em; margin-right: auto'><pre>&lt; GET /.well-known/cloudaudit/service/com/example/cloud/-/org/iso/3166-1 HTTP/1.1
&lt; Host: cloudaudit.net
&lt;
&gt; HTTP/1.1 200 OK
&gt; Content-Length: 3
&gt; Content-Type: text/plain
&gt;
&gt; US</pre></div>
<a name="anchor18"></a><br /><hr />
<a name="rfc.section.5.2.3"></a><h3>5.2.3.&nbsp;
Third-party Assertions</h3>

<p>It may be necessary for third parties to make assertions, for
          example where an auditor certifies compliance with a given standard
          at a given time. This can be achieved either by retrieving a trusted
          representation (for example, an image containing a physical
          signature, or a digitally signed document) from the first party or
          by being redirected to a third party and retrieving the assertion
          directly from them. In the redirect case the destination is chosen
          by the first party, so the client needs to confirm for itself that
          the destination belongs to the third party it trusts.
</p>
<a name="anchor19"></a><br /><hr />
<a name="rfc.section.6"></a><h3>6.&nbsp;
Digital Signatures</h3>

<p>Digital signatures allow clients to verify the integrity of the
      assertions (both first-party and third-party).
</p>
<a name="IANA"></a><br /><hr />
<a name="rfc.section.7"></a><h3>7.&nbsp;
IANA Considerations</h3>

<p>This document makes no request of IANA.
</p>
<p>Note to RFC Editor: this section may be removed on publication as an
      RFC.
</p>
<a name="anchor20"></a><br /><hr />
<a name="rfc.section.8"></a><h3>8.&nbsp;
Security Considerations</h3>

<p>The content of CloudAudit repositories is not guaranteed to be secure,
      private or integrity-protected, and due caution should be exercised. Clients
      SHOULD use Transport Layer Security (TLS) <a class='info' href='#RFC5246'>[RFC5246]<span> (</span><span class='info'>Dierks, T. and E. Rescorla, &ldquo;The Transport Layer Security (TLS) Protocol Version 1.2,&rdquo; August&nbsp;2008.</span><span>)</span></a>
      or equivalent to ensure confidentiality and integrity when accessing
      CloudAudit repositories over a public network such as the Internet.
</p>
<p>The Domain Name System (DNS) MAY be susceptible to attacks and care
      should be taken to authenticate servers, for example by verifying the
      chain of trust and information contained in SSL certificates provided,
      by using a Virtual Private Network (VPN) service, by relying on DNSSEC
      <a class='info' href='#RFC4033'>[RFC4033]<span> (</span><span class='info'>Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose, &ldquo;DNS Security Introduction and Requirements,&rdquo; March&nbsp;2005.</span><span>)</span></a>, etc.
</p>
<p>Malicious clients MAY seek to obtain sensitive information via
      CloudAudit which could then be used to launch an attack. Such
      information should only be made available to authorised clients who have
      been authenticated via HTTP authentication <a class='info' href='#RFC2617'>[RFC2617]<span> (</span><span class='info'>Franks, J., Hallam-Baker, P., Hostetler, J., Lawrence, S., Leach, P., Luotonen, A., and L. Stewart, &ldquo;HTTP Authentication: Basic and Digest Access Authentication,&rdquo; June&nbsp;1999.</span><span>)</span></a> or equivalent.
      Because the Basic scheme sends credentials without encryption, it should
      only be used over TLS or an equivalent protected channel.
</p>
<p>Servers may make false first-party assertions or may refer to
      third-party assertions that do not apply to them, or that expand the
      scope of the intended meaning. Clients that do not trust servers may
      choose only to rely on trusted third-party assertions, in which case the
      integrity of the assertion SHOULD be verified by transferring it over
      Transport Layer Security (TLS) <a class='info' href='#RFC5246'>[RFC5246]<span> (</span><span class='info'>Dierks, T. and E. Rescorla, &ldquo;The Transport Layer Security (TLS) Protocol Version 1.2,&rdquo; August&nbsp;2008.</span><span>)</span></a> or
      equivalent or by verifying a digital signature applied to the assertion
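      using OpenPGP <a class='info' href='#RFC4880'>[RFC4880]<span> (</span><span class='info'>Callas, J., Donnerhacke, L., Finney, H., Shaw, D., and R. Thayer, &ldquo;OpenPGP Message Format,&rdquo; November&nbsp;2007.</span><span>)</span></a> or equivalent.
      TLS authenticates only the server the assertion was retrieved from, so
      when a third-party assertion is served by the first party, only a
      signature that the client can tie to the third party shows that the
      assertion originated with them.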
</p>
<a name="Acknowledgements"></a><br /><hr />
<a name="rfc.section.9"></a><h3>9.&nbsp;
Acknowledgements</h3>

<p>The authors would like to acknowledge all members of the CloudAudit
      Working Group, editors of framework specification documents (including
      Doug Barbin, Mike Versace, James Arlen and Dave Lewis), the publishers
      of frameworks (including ISACA, HHS, ISO, NIST and PCI) and early
      adopters of the standard.
</p>
<a name="rfc.references"></a><br /><hr />
<a name="rfc.section.10"></a><h3>10.&nbsp;
References</h3>

<a name="rfc.references1"></a><br /><hr />
<h3>10.1.&nbsp;Normative References</h3>
<table width="99%" border="0">
<tr><td class="author-text" valign="top"><a name="RFC2119">[RFC2119]</a></td>
<td class="author-text"><a href="mailto:sob@harvard.edu">Bradner, S.</a>, &ldquo;<a href="http://tools.ietf.org/html/rfc2119">Key words for use in RFCs to Indicate Requirement Levels</a>,&rdquo; BCP&nbsp;14, RFC&nbsp;2119, March&nbsp;1997 (<a href="http://www.rfc-editor.org/rfc/rfc2119.txt">TXT</a>, <a href="http://xml.resource.org/public/rfc/html/rfc2119.html">HTML</a>, <a href="http://xml.resource.org/public/rfc/xml/rfc2119.xml">XML</a>).</td></tr>
<tr><td class="author-text" valign="top"><a name="RFC2616">[RFC2616]</a></td>
<td class="author-text"><a href="mailto:fielding@ics.uci.edu">Fielding, R.</a>, <a href="mailto:jg@w3.org">Gettys, J.</a>, <a href="mailto:mogul@wrl.dec.com">Mogul, J.</a>, <a href="mailto:frystyk@w3.org">Frystyk, H.</a>, <a href="mailto:masinter@parc.xerox.com">Masinter, L.</a>, <a href="mailto:paulle@microsoft.com">Leach, P.</a>, and <a href="mailto:timbl@w3.org">T. Berners-Lee</a>, &ldquo;<a href="http://tools.ietf.org/html/rfc2616">Hypertext Transfer Protocol -- HTTP/1.1</a>,&rdquo; RFC&nbsp;2616, June&nbsp;1999 (<a href="http://www.rfc-editor.org/rfc/rfc2616.txt">TXT</a>, <a href="http://www.rfc-editor.org/rfc/rfc2616.ps">PS</a>, <a href="http://www.rfc-editor.org/rfc/rfc2616.pdf">PDF</a>, <a href="http://xml.resource.org/public/rfc/html/rfc2616.html">HTML</a>, <a href="http://xml.resource.org/public/rfc/xml/rfc2616.xml">XML</a>).</td></tr>
<tr><td class="author-text" valign="top"><a name="RFC2617">[RFC2617]</a></td>
<td class="author-text"><a href="mailto:john@math.nwu.edu">Franks, J.</a>, <a href="mailto:pbaker@verisign.com">Hallam-Baker, P.</a>, <a href="mailto:jeff@AbiSource.com">Hostetler, J.</a>, <a href="mailto:lawrence@agranat.com">Lawrence, S.</a>, <a href="mailto:paulle@microsoft.com">Leach, P.</a>, Luotonen, A., and <a href="mailto:stewart@OpenMarket.com">L. Stewart</a>, &ldquo;<a href="http://tools.ietf.org/html/rfc2617">HTTP Authentication: Basic and Digest Access Authentication</a>,&rdquo; RFC&nbsp;2617, June&nbsp;1999 (<a href="http://www.rfc-editor.org/rfc/rfc2617.txt">TXT</a>, <a href="http://xml.resource.org/public/rfc/html/rfc2617.html">HTML</a>, <a href="http://xml.resource.org/public/rfc/xml/rfc2617.xml">XML</a>).</td></tr>
<tr><td class="author-text" valign="top"><a name="RFC3986">[RFC3986]</a></td>
<td class="author-text"><a href="mailto:timbl@w3.org">Berners-Lee, T.</a>, <a href="mailto:fielding@gbiv.com">Fielding, R.</a>, and <a href="mailto:LMM@acm.org">L. Masinter</a>, &ldquo;<a href="http://tools.ietf.org/html/rfc3986">Uniform Resource Identifier (URI): Generic Syntax</a>,&rdquo; STD&nbsp;66, RFC&nbsp;3986, January&nbsp;2005 (<a href="http://www.rfc-editor.org/rfc/rfc3986.txt">TXT</a>, <a href="http://xml.resource.org/public/rfc/html/rfc3986.html">HTML</a>, <a href="http://xml.resource.org/public/rfc/xml/rfc3986.xml">XML</a>).</td></tr>
<tr><td class="author-text" valign="top"><a name="RFC4033">[RFC4033]</a></td>
<td class="author-text">Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose, &ldquo;<a href="http://tools.ietf.org/html/rfc4033">DNS Security Introduction and Requirements</a>,&rdquo; RFC&nbsp;4033, March&nbsp;2005 (<a href="http://www.rfc-editor.org/rfc/rfc4033.txt">TXT</a>).</td></tr>
<tr><td class="author-text" valign="top"><a name="RFC4287">[RFC4287]</a></td>
<td class="author-text"><a href="mailto:mnot@pobox.com">Nottingham, M., Ed.</a> and <a href="mailto:rfsayre@boswijck.com">R. Sayre, Ed.</a>, &ldquo;<a href="http://tools.ietf.org/html/rfc4287">The Atom Syndication Format</a>,&rdquo; RFC&nbsp;4287, December&nbsp;2005 (<a href="http://www.rfc-editor.org/rfc/rfc4287.txt">TXT</a>, <a href="http://xml.resource.org/public/rfc/html/rfc4287.html">HTML</a>, <a href="http://xml.resource.org/public/rfc/xml/rfc4287.xml">XML</a>).</td></tr>
<tr><td class="author-text" valign="top"><a name="RFC4880">[RFC4880]</a></td>
<td class="author-text">Callas, J., Donnerhacke, L., Finney, H., Shaw, D., and R. Thayer, &ldquo;<a href="http://tools.ietf.org/html/rfc4880">OpenPGP Message Format</a>,&rdquo; RFC&nbsp;4880, November&nbsp;2007 (<a href="http://www.rfc-editor.org/rfc/rfc4880.txt">TXT</a>).</td></tr>
<tr><td class="author-text" valign="top"><a name="RFC5246">[RFC5246]</a></td>
<td class="author-text">Dierks, T. and E. Rescorla, &ldquo;<a href="http://tools.ietf.org/html/rfc5246">The Transport Layer Security (TLS) Protocol Version 1.2</a>,&rdquo; RFC&nbsp;5246, August&nbsp;2008 (<a href="http://www.rfc-editor.org/rfc/rfc5246.txt">TXT</a>).</td></tr>
<tr><td class="author-text" valign="top"><a name="W3C.REC-html401-19991224">[W3C.REC-html401-19991224]</a></td>
<td class="author-text">Hors, A., Jacobs, I., and D. Raggett, &ldquo;<a href="http://www.w3.org/TR/1999/REC-html401-19991224">HTML 4.01 Specification</a>,&rdquo; World Wide Web Consortium Recommendation&nbsp;REC-html401-19991224, December&nbsp;1999 (<a href="http://www.w3.org/TR/1999/REC-html401-19991224">HTML</a>).</td></tr>
</table>

<a name="rfc.references2"></a><br /><hr />
<h3>10.2.&nbsp;Informative References</h3>
<table width="99%" border="0">
</table>

<a name="anchor23"></a><br /><hr />
<a name="rfc.section.A"></a><h3>Appendix A.&nbsp;
Initial Registry Contents</h3>

<p>The CloudAudit registry's initial contents are:</p>
<ul class="text">
<li>Assertion Name: org.iso.3166-1
</li>
<li>Description: Codes for the representation of names of countries
          and their subdivisions -- Part 1: Country codes
</li>
<li>Reference: http://www.iso.org/iso/iso-3166-1_decoding_table
</li>
</ul>

<a name="rfc.authors"></a><br /><hr />
<h3>Authors' Addresses</h3>
<table width="99%" border="0" cellpadding="0" cellspacing="0">
<tr><td class="author-text">&nbsp;</td>
<td class="author-text">Christofer Hoff</td></tr>
<tr><td class="author-text">&nbsp;</td>
<td class="author-text">Cisco Systems</td></tr>
<tr><td class="author-text">&nbsp;</td>
<td class="author-text">200 Beaver Brook Road</td></tr>
<tr><td class="author-text">&nbsp;</td>
<td class="author-text">Building 200</td></tr>
<tr><td class="author-text">&nbsp;</td>
<td class="author-text">Boxborough, MA  01719</td></tr>
<tr><td class="author-text">&nbsp;</td>
<td class="author-text">USA</td></tr>
<tr><td class="author" align="right">Phone:&nbsp;</td>
<td class="author-text">+1.9786310302</td></tr>
<tr><td class="author" align="right">Email:&nbsp;</td>
<td class="author-text"><a href="mailto:hoffc@cisco.com">hoffc@cisco.com</a></td></tr>
<tr cellpadding="3"><td>&nbsp;</td><td>&nbsp;</td></tr>
<tr><td class="author-text">&nbsp;</td>
<td class="author-text">Sam Johnston</td></tr>
<tr><td class="author-text">&nbsp;</td>
<td class="author-text">Google</td></tr>
<tr><td class="author-text">&nbsp;</td>
<td class="author-text">Brandschenkestrasse 110</td></tr>
<tr><td class="author-text">&nbsp;</td>
<td class="author-text">Zurich,   8002</td></tr>
<tr><td class="author-text">&nbsp;</td>
<td class="author-text">Switzerland</td></tr>
<tr><td class="author" align="right">Phone:&nbsp;</td>
<td class="author-text">+41.446681679</td></tr>
<tr><td class="author" align="right">Email:&nbsp;</td>
<td class="author-text"><a href="mailto:sj@google.com">sj@google.com</a></td></tr>
<tr cellpadding="3"><td>&nbsp;</td><td>&nbsp;</td></tr>
<tr><td class="author-text">&nbsp;</td>
<td class="author-text">George Reese</td></tr>
<tr><td class="author-text">&nbsp;</td>
<td class="author-text">enStratus</td></tr>
<tr><td class="author-text">&nbsp;</td>
<td class="author-text">1201 Marquette Ave</td></tr>
<tr><td class="author-text">&nbsp;</td>
<td class="author-text">Suite 150</td></tr>
<tr><td class="author-text">&nbsp;</td>
<td class="author-text">Minneapolis, MN  55403</td></tr>
<tr><td class="author-text">&nbsp;</td>
<td class="author-text">USA</td></tr>
<tr><td class="author" align="right">Phone:&nbsp;</td>
<td class="author-text">+1.6127463091</td></tr>
<tr><td class="author" align="right">Email:&nbsp;</td>
<td class="author-text"><a href="mailto:george.reese@enstratus.com">george.reese@enstratus.com</a></td></tr>
<tr cellpadding="3"><td>&nbsp;</td><td>&nbsp;</td></tr>
<tr><td class="author-text">&nbsp;</td>
<td class="author-text">Ben Sapiro</td></tr>
<tr><td class="author-text">&nbsp;</td>
<td class="author-text">TELUS Security Labs</td></tr>
<tr><td class="author-text">&nbsp;</td>
<td class="author-text">25 York Street</td></tr>
<tr><td class="author-text">&nbsp;</td>
<td class="author-text">Toronto  M5J 2V5</td></tr>
<tr><td class="author-text">&nbsp;</td>
<td class="author-text">Canada</td></tr>
<tr><td class="author" align="right">Phone:&nbsp;</td>
<td class="author-text">+1.6478899432</td></tr>
<tr><td class="author" align="right">Email:&nbsp;</td>
<td class="author-text"><a href="mailto:ben@sapiro.net">ben@sapiro.net</a></td></tr>
</table>
</body></html>

